Reputation: 5001
What is the best way to use mysql_real_escape_string and htmlspecialchars while saving data in CakePHP?
I am using FCKEditor with CakePHP and when I save data sent from the editor I want to run the htmlspecialchars() and mysql_real_escape_string() functions on the data to clean it before I store it in my database. The problem is I am not really sure where to do this within the CakePHP framework. I tried in the controller like this:
function add()
{
if (!empty($this->data))
{
if ($this->Article->save(mysql_real_escape_string(htmlspecialchars($this->data))))
{
$this->Session->setFlash('Your article has been saved.');
$this->redirect(array('action' => 'index'));
}
}
}
However $this->data is an array and those functions expect strings so that won't work. Do I do it in the validate array of the model? I have no idea. Also, let me know if running htmlspecialchars() inside of mysql_real_escape_string() is not a good practice.
Upvotes: 1
Views: 3309
Answers (3)
Reputation: 51
If you are building your own SQL strings with CakePHP, then CakePHP provides the escape function:
escape(string $string, string $connection)
http://book.cakephp.org/view/1186/escape
Upvotes: 1
Reputation: 338128
The short and simple answer is - if the database access has been abstracted away, there is no need for you to call these functions at all.
The only place where they are needed is if you build actual SQL from bits of strings. Which you should not do anyway, but that's another story.
Bottom line is - the framework will do the right thing, don't interfere.
EDIT: As Bill Karwin points out - htmlspecialchars() is from the completely wrong department here.
Upvotes: 1
Reputation: 562230
Don't use htmlspecialchars() when you save data, use it when you output data to HTML. What if you need to look at the data in some context other than HTML?
Also I'm not a Cake user, but I'd be surprised if you need to apply mysql_real_escape_string() as you save data either. The database access layer should protect you against SQL injection, and by doing it manually you're going to end up storing doubly-escaped strings.
Upvotes: 2
Related Questions
- When you absolutely have to manually escape SQL in CakePHP 3.4.7
- How do you escape SQL data in CakePHP?
- How can I prevent CakePHP from escaping data on a save?
- Codeigniter MySQL security, htmlspecialcharacters & mysql_real_escape_string?
- Sanitizing data / SQL injections in CakePHP
- cakephp escape function or mysql_real_escape_string is not safe?
- Saving and Displaying HTML and special characters in a mysql database safely?
- CakePHP saving values to MySQL database as HTML encoded value
- htmlspecialchars
- Type of string escape done defaultly by cakePHP